Mon. Jan 24th, 2022

Widely used Malware ZLoader crops up into all sorts of criminal hacking, aimed at stealing banking passwords and other sensitive data. ransomware Attack Now, a Zedloader campaign that began in November has infected nearly 2,200 victims in 111 countries by exploiting Windows bugs that Microsoft Fixed Back in 2013.

Hackers have long used various tricks to hide the malware detection tools of Zloader’s past. In this case, the attackers took advantage of a gap in Microsoft’s signature verification, an integrity test, to make sure a file was valid and trustworthy, according to security agency Checkpoint researchers. First, they will deceive victims into installing a legitimate remote IT management tool called Atera to gain access and control of the device; That part is not particularly amazing or novel. From there, though, hackers still need to install ZLoader without detecting or blocking Windows Defender or other malware scanners.

This is where almost a decade old error comes in handy. Attackers can modify a valid “dynamic-link library” file. The target DLL file is digitally signed by Microsoft, which proves its authenticity. But the attackers were able to vaguely add a malicious script to the file without affecting the Microsoft approval stamp.

Kobe Eisencraft, a malware researcher at Checkpoint, said, “When you look at a DLL-like file that has been signed, you’re sure you can trust it, but it shows that it doesn’t always happen.” “I think we’ll see more of this method of attack.”

Microsoft calls its code-signing process “authentic code.” It released a fix in 2013 that made authentication signature verification more stringent, thus flagging finely manipulated files. Originally the patch would be rolled out to all Windows users, but in July 2014 Microsoft revised its plan, making the update optional.

“As we work with customers to adapt to this change, we determine that the impact of existing software may be greater,” the company said in a statement. Wrote In 2014, this meant that the fix was creating false positives where legitimate files were flagged as potentially malicious. “Therefore, Microsoft no longer plans to implement strict verification behavior as a default requirement. The underlying functionality remains for rigorous verification, however, and can be enabled at the discretion of the customer. “

In a statement on Wednesday, Microsoft stressed that users could protect themselves through company amendments published in 2013. And as the company points out, Checkpoint researchers have observed in the Zedloader campaign that vulnerabilities can only be exploited if a device is already in place. Compromised or the attackers deceive the victims to run one of the directly manipulated files that appears to be signed. A Microsoft spokesman told Wired: “Customers who apply the update and enable the configuration indicated in the security advice will be protected.

But when OK, and this has been for all time, many Windows devices probably don’t have it enabled, since users and system administrators need to know about the patch and then Choose to set it up. Microsoft noted in 2013 that vulnerabilities were being actively exploited by hackers in “targeted attacks”.

Source link

By admin

Leave a Reply

Your email address will not be published. Required fields are marked *